Adjustable Autonomy Testbed

Jane T. Malin and Debra K. Schreckenghost 

The Adjustable Autonomy Testbed (AAT) is a simulation-based testbed located in the Intelligent 
Systems Laboratory in the Automation, Robotics and Simulation Division at NASA Johnson 
Space Center. The purpose of the testbed is to support evaluation and validation of prototypes of 
adjustable autonomous agent software for control and fault management for complex systems. 
The AAT project has developed prototype adjustable autonomous agent software and human 
interfaces for cooperative fault management. This software builds on current autonomous agent 
technology by altering the architecture, components and interfaces for effective teamwork 
between autonomous systems and human experts. Autonomous agents include a planner, flexible 
executive, low level control and deductive model-based fault isolation. Adjustable autonomy is 
intended to increase the flexibility and effectiveness of fault management with an autonomous 
system. The test domain for this work is control of advanced life support systems for habitats for 
planetary exploration. The CONFIG hybrid discrete event simulation environment provides 
flexible and dynamically reconfigurable models of the behavior of components and fluids in the 
life support systems. Both discrete event and continuous (discrete time) simulation are 
supported, and flows and pressures are computed globally. This provides fast dynamic 
simulations of interacting hardware systems in closed loops that can be reconfigured during 
operations scenarios, producing complex cascading effects of operations and failures. Current 
object-oriented model libraries support modeling of fluid systems, and models have been 
developed of physico-chemical and biological subsystems for processing advanced life support 
gases. In FY01, water recovery system models will be developed. 
Operations Concepts for Life Support

Autonomous control systems should operate safely without eyes-on, 
vigilance monitoring 

- Implement safe operations with well-defined protocols at boundary conditions 

- Provide strategies for notifying humans when interesting or unusual events 
occur or a need for manual action arises 

- Support remote monitoring of systems 

- Generate activity histories and event summaries 

Human support is performed by exception - during critical operations, 
anomalies, or unusual situations 

- Support novel manual operations in response to anomaly or opportunity 

- Permit human override of automation 

- Operate autonomous system continuously, even when human is in control 

Operations results from LMLSTP Phase III Test (Fall, 97) 

- Engineer workload with automated control system 

• 6-8 hrs per week on console, plus 6 hrs every 4 days for incineration and 3 hours 
every 20 days for planting/harvesting 

- Tasks with human-in-the-loop: incineration, plant/harvest, calibration 


Adjustable Autonomy Testbed 


Purpose 

- Develop automated control software that supports human-in-the-loop 
operations 

- Provide a simulated life support environment to develop and test this control 
software 

Approach 

- Add improved capability for user to monitor and command control processes 
in 3T 

• Displays that provide an overview of system operations (e.g., ARS) and 
summarize control activity history 

• Notification of faults and automated actions in response to them 

• Electronic procedures for manual commands 

- Provide new fault detection capability that complements anomaly handling 
in 3T 

• Integrate with model-based fault diagnosis software from Ames (Livingstone) 


Three Tier (3T) Control Architecture 


Planner (AP): predicts activities to achieve 
control objectives 

- Represents and assigns tasks to multiple 
agents 

- Monitors plan execution, detects plan 
execution failure, and replans at failure. 

Sequencer (RAPs): selects and orders 
procedures to implement planned activities 

- Chooses procedures reactively, based on 
current state of environment. 

- Allocates procedure steps to specific skill 
managers 

Skill Manager: implements procedure 
steps as closed loop control 

- Skills are activated to issue commands to 
control instrumentation 

- Events are activated to monitor sensor 
readings in response to control 








3T Example: Prepare for Incineration

PLANNER

- Accumulate O2 for incineration
- O2 accumulation complete

SEQUENCER

Task: Prep for Incineration

Method: prep-started
Context: not prep-for-incineration
Actions
1. Empty O2 buffer tank
2. Stop O2 transfer
3. Issue message

Method: monitor-o2-pressure
Context: prep-for-incineration, O2 reservoir not full
Actions
1. Measure reservoir pressure

Method: prep-complete
Context: prep-for-incineration, O2 reservoir full
Actions
1. Mark O2 reservoir full
2. Issue message

SKILL MANAGER

Skill: Turn on pump
Skill: Close O2 isolation valve
Skill: Turn off pump
Event: measure o2 pressure
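
The sequencer behaviour in this example, reactive selection of a method by its context, can be sketched as follows. This is an added illustration, not code from 3T or RAPs: the method names, contexts and actions are taken from the slide, while the pressure values, the fill rate, the task-memory fields and the tick limit are assumptions.

```python
FULL_KPA = 300  # assumed threshold for "O2 reservoir full"

# Each method: (name, context predicate over task memory, actions from the slide).
METHODS = [
    ("prep-started",
     lambda m: not m["prep"],
     ["Empty O2 buffer tank", "Stop O2 transfer", "Issue message"]),
    ("monitor-o2-pressure",
     lambda m: m["prep"] and m["measured_kpa"] < FULL_KPA,
     ["Measure reservoir pressure"]),
    ("prep-complete",
     lambda m: m["prep"] and m["measured_kpa"] >= FULL_KPA and not m["marked_full"],
     ["Mark O2 reservoir full", "Issue message"]),
]

def run_task(true_kpa=180, fill_per_tick=50, max_ticks=20):
    """Run the first method whose context holds, each tick, until none applies."""
    memory = {"prep": False, "measured_kpa": 0, "marked_full": False}
    trace = []
    for _ in range(max_ticks):  # bounded: a stuck reservoir must not loop forever
        chosen = next(((n, a) for n, ctx, a in METHODS if ctx(memory)), None)
        if chosen is None:
            break  # no applicable method: the task is finished
        name, actions = chosen
        trace.append(name)
        for action in actions:
            if action == "Measure reservoir pressure":
                # Stand-in for the skill manager's "measure o2 pressure" event.
                memory["measured_kpa"] = true_kpa
            elif action == "Mark O2 reservoir full":
                memory["marked_full"] = True
        if name == "prep-started":
            memory["prep"] = True
        true_kpa += fill_per_tick  # simulated plant: O2 accumulates each tick
    return trace, memory

if __name__ == "__main__":
    for step in run_task()[0]:
        print(step)
```

With `fill_per_tick=0` the reservoir never fills, the loop stops at `max_ticks`, and the reservoir is never marked full, which is the condition a planner would have to treat as plan execution failure.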


Enhancing 3T for Improved User Interaction 


Monitoring system operation 

- Displays providing an operational overview 

- Histories of control activities and their consequences 

- Notification of faults and automated actions in response to them 

Commanding 3T control system 

- Electronic procedures for manual commands 

Potential for reuse 

- Electronic procedures and displays for new subsystem with creation of 
new configuration files 

- Remote access to new displays with 3T modification to export raps data 

- Centralized data logs with modification to j Forwarder 


Monitoring ARS Operation 


Operating Mode 
Reviewing Histories of Control Activities
MONITOR-VCCR

HANDLE-VCCR-ALERTS

put-out-warning vccrskm (even low low even low low even even low)
handle-mir-faults £<resource: nil>
turn-pump-p vccrskm blower off 120
no-op mir-blower-problem
turn-pump-p vccrskm blower on 120
RESTORE-CONFIGURATIONS
no-op nothing-to-restore
CHECK-VCCR-CONFIG
configure-vccr hc1 air_save
configure-hc-adsorb hc1
configure-hc-adsorb-p vccrskm hc1 120
turn-heater-p vccrskm hc2 off 120
turn-heater-p vccrskm hc1 off 120
configure-desorb-state-p vccrskm hc1 air_save 120

GCOLLECT 




Commanding the ARS Control System 


Select a Procedure 



Procedure Step 


Text Instructions & 
Annotations 


Conditions Prior to 
Task Execution 


Effects of Task 
Execution 


Execute a Procedure 










Enhancing 3T with Model-based FDIR 


NASA Ames has developed a model-based state assessment tool called 
Livingstone 

- System Model 

• Components connected by data paths 

• Each component model includes nominal and fault states with transition conditions 

- Use of this model 

• Assess the most likely state by reasoning about the expected and observed 
consequences of commands 



Caution and Warning with Livingstone 


Mode Diagram for VCCR Blower Pump 



Table of VCCR Livingstone Modes 


VCCR Livingstone - Monitor change 
AAT Demonstration: Architecture



Closed Loop Control 
Skill Manager 


commands, states 


actuation 


Procedures 


RAPS 


task status, user queries 


modes 


Fault Detection 
Simulated Environment
CONFIG 


Operation of Air Revitalization System (ARS) 



Operation of the VCCR 



VCCR normally operates autonomously 

- Human operations

• Startup and shutdown system

• Inform system of HX state

- Livingstone identifies nominal and failure
states





Demonstration Scenario 


Nominal Case: Start up the 3 systems of the air system

- VCCR: removes CO2 and stores it in a tank

- CRS: converts CO2 and H2 to H2O and methane

- OGS: converts H2O to O2 and H2

Failure Cases: Air blower or heat exchanger turn off unexpectedly 

- Livingstone detects the failure based on temperatures from skill manager 
and notifies the sequencer 

- Sequencer selects and executes recovery procedures in response to the 
failure notification 

• Blower: sequencer automatically turns the blower back on 

• Heat Exchanger: sequencer asks human to turn the heat exchanger back on 

- Skill manager issues procedure commands to the sim and receives data 
from sim indicating commands have taken effect 

- Livingstone notifies sequencer when the fault has been corrected and 
nominal control resumes 

- Throughout, human can monitor the activity as it occurs or after the fact 
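
The failure cases above, together with the earlier description of Livingstone's component models (nominal and fault states, assessed from the expected and observed consequences of commands), can be sketched as follows. This is an added, simplified illustration and not Livingstone or 3T code: the qualitative temperature values, the prior likelihoods and the function names are assumptions, while the allocation of recovery (blower automatic, heat exchanger by the human) is from the scenario.

```python
# Assumed qualitative models: mode -> (prior, predicted temperature given last command).
MODELS = {
    comp: {
        "nominal":    (0.98, lambda cmd: "in-range" if cmd == "on" else "out-of-range"),
        "failed-off": (0.02, lambda cmd: "out-of-range"),
    }
    for comp in ("blower", "heat_exchanger")
}
# Recovery allocation from the demonstration scenario.
RECOVERY = {"blower": "automatic", "heat_exchanger": "human"}

def assess_mode(component, last_command, observed_temp):
    """Return the most likely mode whose prediction matches the observation."""
    consistent = [(prior, mode)
                  for mode, (prior, predict) in MODELS[component].items()
                  if predict(last_command) == observed_temp]
    return max(consistent)[1] if consistent else "unknown"

def sequencer_response(component, mode):
    """Choose the recovery step; autonomy level depends on the component."""
    if mode == "nominal":
        return "resume nominal control"
    if mode == "unknown":
        return "notify human: reading matches no modeled mode"
    if RECOVERY[component] == "automatic":
        return f"command skill manager: turn {component} on"
    return f"ask human: turn {component} on"

def run_scenario(readings):
    """readings: list of (component, last_command, observed_temp) tuples."""
    history = []  # activity history the human can review after the fact
    for component, cmd, temp in readings:
        mode = assess_mode(component, cmd, temp)
        history.append((component, mode, sequencer_response(component, mode)))
    return history

# Constructed sample data: each component fails off once, then recovers.
CONSTRUCTED_READINGS = [
    ("blower", "on", "in-range"),
    ("blower", "on", "out-of-range"),
    ("blower", "on", "in-range"),
    ("heat_exchanger", "on", "out-of-range"),
    ("heat_exchanger", "on", "in-range"),
]

if __name__ == "__main__":
    for entry in run_scenario(CONSTRUCTED_READINGS):
        print(entry)
```

A reading that no modeled mode predicts (for example, commanded off but temperature in range) is reported as `unknown` and routed to the human instead of being forced into the nearest fault.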


